Securing Web Based Time Clock.



  • Our HR department has discovered that human beings can be dishonest.... (Snark generator disabled).... Our company uses paycom.com as a means to clock into and out of work. It has come to the attention of HR in an audit that certain personnel are using the web interface to clock in and out when not actually at their designated work area. (Feign shock and disbelief generator disabled).... My question to the group is, given that the act of clocking in and out is 99.9% done on premise for the group that is in question, could simply disabling the ability to clock in and out except from the two external IP addresses our company has be sufficient to stop this behavior? They are telling me that Paycom has this access control ability. Thank you for any help or advice you can offer. Hopefully I have provided enough information to work with but I am sure there is more to this than I am able to realize.



  • HR should already have this covered by firing the users that are not following policies.



  • @black3dynamite said in Securing Web Based Time Clock.:

    HR should already have this covered by firing the users that are not following policies.

    Amen. That was my first question. "I have not received a disable account request, why not?"



  • So long as your IPs are static I don't see anything additional that should be needed from an IT perspective.



  • @popester said in Securing Web Based Time Clock.:

    My question to the group is, given that the act of clo

    I usually do Geofencing with those HR systems.



  • @notverypunny said in Securing Web Based Time Clock.:

    So long as your IPs are static I don't see anything additional that should be needed from an IT perspective.

    Yes. We have two gateways, one through Spectrum business which carries the bulk of internet traffic. And one with Centurylink that carries Mission Critical traffic. If Spectrum goes down it fails over to Centurylink and things are a little tight but traffic still flows.



  • Tell HR to pull a report with IP addresses connected to each clock punch and discipline offenders. Also tell the CEO that it is not IT's problem.



  • It really sucks to have to lock it down by IP. You might as well not have a cloud service at that point.

    I can also think of some valid reasons for employees to clock in or out off-site. Compliance training, travel, etc.

    I would put this responsibility on employees and not IT. Using a time clock is just part of working a job.



  • We use Paycom and I can tell you, yes they have the ability to lock down clock punches to specific IPs, we instituted that on day one years ago. We have had zero issue with it. If someone needs to punch while offsite - they simply email their manager, who then updates the system.



  • So without a time clock, you can't be sure employees are at work or working? I haven't used a timeclock since my teens. I know this doesn't address your issue, but didn't realize time clocks were still a thing. I only note time deviations at my current job, such as PTO or sick pay.

    However, I agree with the others. Fire people who are stealing from the company. Time = money, no difference here. As IRJ pointed out, limiting this from only Onprem may cause unintended limitations and force the bad actors to do it in other ways anyways. I'd only do that if they forced me to after explaining it may not be a real solution.
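
An added example, not part of any post in this thread: a sketch of the audit suggested above (a report of the IP address behind each clock punch), checked against the company's two static gateway addresses. The CSV column names, the sample rows and both egress IPs are constructed assumptions; they are not Paycom's export format. Both gateways are listed because on-site traffic leaves from the second address during a failover.

```python
import csv
import io
import ipaddress

# Assumption: the company's two static egress IPs (documentation-range placeholders).
ALLOWED_EGRESS = [ipaddress.ip_network("203.0.113.10/32"),   # primary gateway
                  ipaddress.ip_network("198.51.100.20/32")]  # failover gateway

# Constructed sample export; the column names are assumed, not a vendor format.
SAMPLE_REPORT = """employee,timestamp,action,source_ip
asmith,2024-03-04T07:58:12,IN,203.0.113.10
bjones,2024-03-04T08:01:40,IN,192.0.2.77
asmith,2024-03-04T17:02:05,OUT,198.51.100.20
cdoe,2024-03-04T08:00:03,IN,not-recorded
bjones,2024-03-04T17:00:09,OUT,192.0.2.77
"""

def classify(source_ip):
    """Return 'on_site', 'off_site' or 'unparseable' for one punch source."""
    try:
        addr = ipaddress.ip_address(source_ip.strip())
    except ValueError:
        # Missing or malformed values are surfaced for review, never assumed on-site.
        return "unparseable"
    return "on_site" if any(addr in net for net in ALLOWED_EGRESS) else "off_site"

def audit_punches(report_text):
    """Map each employee to the punches that did not come from an allowed IP."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        verdict = classify(row["source_ip"])
        if verdict != "on_site":
            findings.setdefault(row["employee"], []).append(
                (row["timestamp"], row["action"], row["source_ip"], verdict))
    return findings

if __name__ == "__main__":
    for employee, punches in sorted(audit_punches(SAMPLE_REPORT).items()):
        for ts, action, ip, verdict in punches:
            print(f"{employee}\t{ts}\t{action}\t{ip}\t{verdict}")
```

An off-site result is a record for HR to review, since the thread lists valid reasons for punching away from the office such as compliance training and travel.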

